Detecting & Obscuring Tethering
Abstract:
Network providers have traditionally offered the ability to use the wireless network from portable computers. Recently, certain wireless devices have been excluded from this capability, known as tethering. A particular TCP/IP feature, the Time To Live (TTL) field, may be leveraged to detect tethering on the Apple iPhone.
Enter Julian 3:
A user calling himself "Julian 3", commenting on "The Register" in the UK, posted a comment describing one way in which a mobile device may be differentiated from other devices, as well as how to determine whether that device is tethering. Julian 3 explains TTL in this fashion:
All IP packets have something called a TTL associated with them. It stands for Time To Live. Every "hop" along the network from one router to the next reduces the TTL by one. When it reaches 0, the packet is dropped. This was introduced to keep routing problems from overloading the network. If for example, by some error a packet was going around in a circular path, the TTL would eventually reach 0 and prevent a packet storm.

Julian 3 suggests that the iPhone uses a TTL of 64, and that packets from tethered devices may normally have a different TTL from the packets which originate on the iPhone itself: after a packet passes through the iPhone, acting as a gateway, its TTL has been decreased by one.
Suggested Obfuscation:
Julian 3 suggests the following process to obscure Windows clients.
Apple uses a TTL of 64 for the iPhone, by the way. So change the TTL on your computer to "65" and there should be no problem. Here's how to do it:

Network Management Connection:
1. Click Start - Search and type "regedit". This launches the Windows Registry.
2. In the registry, navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
3. In the right pane, right-click and select New - DWORD (32-bit value), set its name as "DefaultTTL", and set its value to anything between 0 and 255. The value sets the number of hops or links the packet traverses before being discarded.
This method of detecting a tethered connection is very network-centric. Whether or not a carrier actually uses this particular technique to detect tethering is not really the point; it demonstrates that various signatures emitted by a client can be used to easily determine characteristics of the source system.
There are plenty of other mechanisms that can be used to identify the source or destination of traffic, including simple things like HTTP headers. Fully obscuring the source system is far more complex than changing a single TTL value.
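The TTL heuristic Julian 3 describes (a phone's own packets arrive with its initial TTL; anything that crossed the phone as a gateway arrives one lower) can be written down as a small classifier. The following Python is an added example, not code from the original post or from any carrier; it assumes a carrier-side observer at the phone's first hop, an iOS initial TTL of 64 as the post states, and a constructed table of common OS default TTLs (64, 128, 255). The sample packet stream is constructed to show both the detection and its blind spot: a host whose DefaultTTL was raised to 65 arrives at 64 and is classified as the phone itself.

```python
"""TTL-based tethering heuristic (added example, not from the original post).

Model: an observer at the carrier's first hop sees the IP TTL of each packet
leaving the phone's cellular interface.  The phone sends with its own initial
TTL (64 on iOS according to the post); a packet that first crossed the phone
acting as a gateway arrives decremented by exactly one.
"""

from collections import Counter
from typing import Iterable, Optional

IPHONE_TTL = 64                      # initial TTL the post attributes to iOS
KNOWN_INITIAL_TTLS = (64, 128, 255)  # common OS defaults (assumed table)


def infer_initial_ttl(observed: int) -> Optional[int]:
    """Guess the sender's initial TTL: the smallest common default >= observed.

    Returns None when the observed value exceeds every known default.
    """
    for initial in KNOWN_INITIAL_TTLS:
        if observed <= initial:
            return initial
    return None


def classify_packet(observed_ttl: int) -> str:
    """Classify one packet seen at the carrier's first hop.

    'phone'    : TTL equals the phone's own initial TTL (no decrement)
    'tethered' : TTL is exactly one below a known default (crossed one gateway)
    'unknown'  : anything else (larger decrement or unrecognised default)
    """
    if observed_ttl == IPHONE_TTL:
        return "phone"
    initial = infer_initial_ttl(observed_ttl)
    if initial is not None and initial - observed_ttl == 1:
        return "tethered"
    return "unknown"


def summarise(ttls: Iterable[int]) -> Counter:
    """Count classifications over a stream of observed TTLs (one per packet)."""
    return Counter(classify_packet(t) for t in ttls)


# Constructed sample stream: the phone's own traffic (64), a Windows laptop
# behind it (128 -> 127), a BSD/Linux laptop behind it (64 -> 63), and a
# laptop whose DefaultTTL was raised to 65 as the post suggests (65 -> 64),
# which this heuristic cannot tell apart from the phone.
SAMPLE_TTLS = [64, 64, 127, 63, 64, 127, 64]

if __name__ == "__main__":
    print(summarise(SAMPLE_TTLS))  # Counter({'phone': 4, 'tethered': 3})
```

Two properties of the heuristic are visible in the code. It is only as good as the "exactly one hop" assumption, which is why a host that sets its own initial TTL one higher than the phone's evades it, as the post suggests; and it keys on the OS default table, so a TTL of 127 not only flags tethering but also hints that the tethered host is Windows rather than another iOS or BSD-derived stack.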